[57] ABSTRACT

The present invention is a secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests. The SWP employs a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment comprising a Web server having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP with the Internet, and an inside compartment comprising a plurality of CGI applications having root directories chrooted to a directory separate from the Web server such that the Web server cannot communicate directly with the CGI applications, and a trusted gateway agent for communicating between the Web server and the CGI applications.

21 Claims, 3 Drawing Sheets 
TRUSTED GATEWAY AGENT FOR WEB SERVER PROGRAMS

FIELD OF THE INVENTION 

The present invention relates to methods and apparatus for providing a secure environment for operating a World Wide Web (WWW) site and, more particularly, to isolating the Web server from the application or applications that run on the Web site.

BACKGROUND OF THE INVENTION 

The Web may be thought of as a global village where computers (hosts) are the buildings, and the world-wide computer network known as the Internet forms the streets. The computers have addresses (IP addresses) consisting of four numbers separated by periods. Many hosts also have nicknames known as domain names. A Web site typically consists of a UNIX or Microsoft Windows based Web server that "serves" software or content to other computers at the Web site for temporary use. A Web site is not a single application, but a system that provides access to applications and data on the server itself, as well as inside an organization. A user utilizes a Web "browser" to access a Web server to access anything that the organization wants to make available, from general information, to transactions, to access to a customer database.

FIG. 1 illustrates a computer 100 executing a Web browser program 105 that is employed by a user to communicate over the Internet 110, in a special language called Hyper Text Transfer Protocol (HTTP) 115, with another computer 120 executing a Web server program 125 to obtain data. The most basic Web transaction involves the transmission of Webpages, written in HyperText Markup Language (HTML), from the Web server 125 to the Web browser 105. Upon request by the user at the Web browser 105, the Web server 125 translates the HTML-based Webpage into HTTP and sends it over the Internet 110 for display as a Webpage at the requesting browser 105. While Web server 125 may contain encryption features such as Netscape's Secure Sockets Layer or S-HTTP, and a filtering router 130 may be employed between the Web browser 105 and Web server 125 for filtering out any messages that aren't HTTP Web traffic bound for the SWP, only HTTP 115 communications between Web server 125 and the Web browser 105 are protected.

HTML allows any word(s) on any Webpage to refer ("link") to any other Webpage. While Webpages do a very good job of displaying information in the form of text or images, they do not handle decisions, for example, confirming a correct password and providing for user access, or provide more sophisticated functions such as placing an order for goods or services. Thus, a special programming interface known as Common Gateway Interface (CGI) 130 is employed to extend the capabilities of the Web server beyond Webpages alone, allowing a level of interaction that HTML alone cannot provide. A typical organization employs a combination of CGI applications and HTML to provide a desired service or product.

As an example, the banking industry may employ the Internet for on-line banking transactions at a virtual bank. In particular, customers at Web sites on the Internet communicate with a Web server situated outside of the virtual bank which then invokes a plurality of bank related CGI applications within the virtual bank to process requests related to data stored within a database within the virtual bank. For example, one CGI application may be employed for obtaining a balance from a checking account, transferring money from one account to another, or triggering an electronic bill payment. Often the CGI application is a simple front-end to a more sophisticated database server connected to a network internal to the organization (defined as an Intranet).

Netscape's Secure Sockets Layer (SSL) protocol, and/or 
EIT's Secure HTTP (S-HTTP) may be employed to provide 
security for HTTP communications between a Web browser 
and a Web server. SSL and S-HTTP provide encryption, 
authentication, integrity, and confidentiality of traffic 
between a client and a server. 

Additional Internet security may be obtained through the use of a secure operating system. In particular, HP-UX 10.09.01 Compartmented Mode Workstation (CMW) sold by Hewlett-Packard Company provides an operating system that operates in accordance with a Mandatory Access Control (MAC) policy that governs the way data may be accessed on a trusted system. The MAC policy is a computerized version of the Department of Defense's long-standing multilevel security policy for handling classified information with labels that reflect sensitivity, to maintain those labels on files and processes in the system, and to prevent users not cleared for certain levels of classified information from accessing it. Under MAC, all information on the system is classified to reflect its sensitivity, all users are assigned clearances, and every application runs at a specific sensitivity level. Using the MAC policy, the operating system controls access based on the relative sensitivity of the applications running and the files they access.

Sensitivity labels are associated with every process (an active CGI application manifests itself as a process) and filesystem object, and are used as the primary basis for all MAC policy decisions. A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains. If an application and the file it attempts to access have compatible sensitivity labels, it can read, write, or possibly execute the file. Each new process typically inherits the sensitivity label of its parent. For example, if a program is executed within a shell (for example, sh(1), csh(1), or ksh(1)), the new process automatically inherits the sensitivity label of the shell process. New files always inherit the sensitivity label of the process that creates them. Once a file is created, the system provides a special trusted program (the File Manager) that may be employed for changing its sensitivity label. Most users are allowed to upgrade files (to change their sensitivity labels upward, so the new sensitivity label dominates the previous one), but are not allowed to downgrade files (to reduce their sensitivity label so the new label is dominated by the previous label), or to cross grade them (so that the new label is incomparable to the previous one).

The effect of the MAC policy is to rigidly control infor- 
mation flow in the system, from process to file to process, to 
prevent accidental or intentional mislabeling of sensitive 
information. To do that, the system compares sensitivity 
labels to determine if a process can access an object. Any 
time a process tries to read, write, or execute a file, the 
system examines the process and object sensitivity labels 
and consults its MAC rules. For each operation a process 
requests, the system determines if the process has mandatory 
read or mandatory write access to the object. Most restric- 
tions that the MAC policy enforces can be summarized by 
the two following rules: 

(1) mandatory read access: A process can read or execute a file, search a directory, or (subject to other privilege requirements) read the contents of other objects if the process's sensitivity label dominates the object's. All of these operations involve transferring data from the object to the process, so having such access is referred to as "mandatory read" access.

(2) mandatory write access: A process can write to a file, remove or create an entry in a directory, or change any object's security attributes (including its sensitivity label), if the process's sensitivity label is the same as the object's. All of these actions involve transferring data from the process to the object, so having such access is called "mandatory write" access.

The first rule prevents a user who is not cleared for classified information from seeing it. Rule two prevents a user with a high clearance from revealing information to other users with lower clearances.
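The two rules above, together with the upgrade/downgrade/cross-grade restriction on relabelling and the six default-configuration relationships among the SYSLO, SYSTEM OUTSIDE, SYSTEM INSIDE and SYSHI labels given in the detailed description, can be expressed as a small executable model. The C below is an added example, not code from the patent or from SecureWare; the four-label lattice, the Subject struct, the allowmacread/allowmacwrite flags (named after the privileges the Appendix A listing raises) and all function names are assumptions, and the walkthrough's choice of which subject holds allowmac is illustrative.

```c
#include <stdbool.h>
#include <stdio.h>

/* The four sensitivity labels named in the SWP's preferred embodiment.
 * Assumed lattice: SYSHI dominates every label, SYSLO is dominated by every
 * label, SYSTEM OUTSIDE and SYSTEM INSIDE are incomparable with each other. */
typedef enum { SYSLO, SYSTEM_OUTSIDE, SYSTEM_INSIDE, SYSHI } Label;

/* A subject (process): its label plus the two allowmac privileges that let a
 * trusted program such as the gateway client cross compartments. Ordinary
 * programs hold neither. (Hypothetical struct, not from the page.) */
typedef struct {
    Label label;
    bool allowmacread;
    bool allowmacwrite;
} Subject;

static const char *label_name(Label l) {
    static const char *names[] = { "SYSLO", "SYSTEM OUTSIDE", "SYSTEM INSIDE", "SYSHI" };
    return names[l];
}

/* dominates(a, b): label a is at least as sensitive as label b. */
bool dominates(Label a, Label b) {
    return a == b || a == SYSHI || b == SYSLO;
}

/* Rule (1), mandatory read: the subject's label must dominate the object's
 * (covers read, execute and directory search). allowmacread bypasses it. */
bool mac_can_read(const Subject *s, Label object) {
    return s->allowmacread || dominates(s->label, object);
}

/* Rule (2), mandatory write: labels must be equal (covers write, creating or
 * removing directory entries, changing attributes). allowmacwrite bypasses it. */
bool mac_can_write(const Subject *s, Label object) {
    return s->allowmacwrite || s->label == object;
}

/* Relabelling a file: only an upgrade (new label strictly dominates the old)
 * is permitted; a downgrade or a cross-grade to an incomparable label is not. */
bool relabel_allowed(Label old_label, Label new_label) {
    return new_label != old_label && dominates(new_label, old_label);
}

/* Check the SWP's own subjects against CGI data kept at SYSTEM INSIDE: the
 * outside Web server is refused both ways, the CGI application is allowed,
 * and the gateway client (OUTSIDE, but holding allowmac) gets through.
 * Returns the number of refused operations. */
int swp_walkthrough(void) {
    Subject web_server     = { SYSTEM_OUTSIDE, false, false };
    Subject cgi_app        = { SYSTEM_INSIDE,  false, false };
    Subject gateway_client = { SYSTEM_OUTSIDE, true,  true  };
    Subject *subjects[] = { &web_server, &cgi_app, &gateway_client };
    const char *who[]   = { "web server", "CGI application", "gateway client" };
    int refused = 0;
    for (int i = 0; i < 3; i++) {
        bool r = mac_can_read(subjects[i], SYSTEM_INSIDE);
        bool w = mac_can_write(subjects[i], SYSTEM_INSIDE);
        printf("%-16s at %-14s: read INSIDE data %s, write %s\n", who[i],
               label_name(subjects[i]->label), r ? "allowed" : "denied",
               w ? "allowed" : "denied");
        refused += !r + !w;
    }
    return refused;
}

int main(void) {
    return swp_walkthrough() == 2 ? 0 : 1;
}
```

The point the model makes concrete is that the Web server, labelled SYSTEM OUTSIDE, can neither read nor write anything at SYSTEM INSIDE under the plain rules; only a process that has been granted the allowmac privileges (which the page reserves for the trusted gateway agent) crosses that boundary, and it does so by privilege rather than by label.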
There exists a need for a trusted operating system that sets up access controls that grant, person by person, authorization to perform different tasks, from viewing files to making changes in them to changing a computer network's configuration.

It would be desirable and of considerable advantage to 
provide a mandatory access control policy to segregate the 
Web server from the CGI application that differs from 
traditional methods employing a Web server and a firewall. 

A bridge between the Web server and the set of CGI applications could be advantageous when implemented by use of a trusted gateway agent to take information from a Web browser's HTTP request to the Web server and make that information available to the appropriate CGI application specified in the HTTP request, especially if the trusted gateway agent works in conjunction with a mandatory access control policy to isolate the Web server and the CGI applications to limit the ability of the Web server to invoke the CGI applications directly.

It will be apparent from the foregoing that there is still a need for a trusted gateway agent that passes arguments or input data to the CGI application and returns data from the CGI application to the Web server.

SUMMARY OF THE INVENTION 

The present invention is a secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests. The secure Web platform employs a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment comprising a Web server having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP with the Internet, and an inside compartment comprising a plurality of CGI applications having root directories chrooted to a directory separate from the Web server such that the Web server cannot communicate directly with the CGI applications. The SWP further comprises a trusted gateway agent for communicating between the Web server and the CGI applications. The trusted gateway agent comprises a gateway client program running in the outside compartment having a plurality of outside CGI links to the CGI applications, and a gateway server program located in the inside compartment, wherein the outside CGI links are visible to the Web server and upon execution of an outside CGI link, an attempt is made to form a link between the Web server and the gateway server program, and if accepted, the gateway server creates a new process and invokes the corresponding CGI application and connects the HTTP data stream to the CGI application. The CGI application employs the HTTP data stream to communicate through the gateway server and gateway client to the Web browser.

The mandatory access control policy assigns a plurality of sensitivity levels to files within the outside and inside compartments. In particular, a sensitivity label of System Outside is assigned to any files requiring write access by the Web server, a sensitivity label of System is assigned to any files to which the Web server program needs read-only access, and a sensitivity label of System Inside is assigned to those files to which the Web server does not have any access. The CGI applications will run with a SL of System Inside for those requiring write access and a SL of System for those with read-only access.

Other aspects and advantages of the present invention will 
become apparent from the following detailed description, 
taken in conjunction with the accompanying drawings, 
illustrating by way of example the principles of the inven- 
tion. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a simplified block diagram of a prior art 
computer executing a Web browser to communicate HTTP 
with another computer executing a Web server. 

FIG. 2 depicts a simplified schematic of the preferred 
embodiment of the secure Web platform (SWP). 

FIG. 3 depicts a flowchart representing the preferred 
method of the invention. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

The invention provides a secure Web platform (SWP) 
layered on top of HP UNIX 10.09.01 CMW operating 
system to implement a mandatory access control policy 
enabling a plurality of remote users operating Web browsers 
Internet access to CGI applications in response to HyperText 
Transfer Protocol (HTTP) requests. 

As illustrated in FIG. 2, an HP UNIX CMW based computer 200 (an HP 9000 Series 700 series workstation) incorporates a layered software secure Web platform 202 having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment 205 comprising a Web server 210 (commercially available from Netscape) having a root directory chrooted to a directory tree containing only the minimal set of files required to interface the SWP 202 with the Internet 215, and an inside compartment 220 comprising a plurality of CGI applications 225 having root directories chrooted, prior to execution, to a directory separate from the Web server 210 such that the Web server 210 cannot communicate directly with the CGI applications 225, as well as minimizing the ability of the CGI applications to access portions of the SWP 202 that they do not need. A trusted gateway agent 230 is employed for communicating between the outside and the inside compartments.

All files are labeled INSIDE or OUTSIDE (also, labels of SYSLO or SYSHI are employed in the preferred embodiment but not required to practice the invention), and the mandatory access control policy (as dictated by the underlying HP-UX 10.09.01 CMW operating system) keeps them in separate compartments to prohibit communication between them. The mandatory access control policy further comprises a plurality of sensitivity labels (SL), wherein a SL of System Outside is assigned to any SWP files to which the Web server requires write access, a SL of System is assigned to any SWP files to which the Web server program 210 requires read-only access, and a SL of System Inside is assigned for those SWP files to which the Web server does not have any access. All of the programs that run on the Web server 210 are also assigned SLs based on where they are executed. In the default configuration, a program running at the SYSTEM OUTSIDE SL cannot read files having an SL of SYSTEM INSIDE. In the default configuration the compartments have the following relationships: (1) programs can always read and write files that reside at the same SL; (2) programs can never directly write files which have a different SL; (3) programs running at the SYSHI SL can read files in any compartment; (4) programs running in the SYSTEM OUTSIDE SL can only read files in the SYSLO and OUTSIDE compartments; (5) programs running at the SYSTEM INSIDE SL can only read files at the SYSLO and SYSTEM INSIDE SL; and (6) programs running at the SYSLO SL can only read files at the SYSLO SL. Some of the Webpages used by the Web server are stored with a SYSLO SL while others are kept at the SYSTEM INSIDE SL. This allows very basic information pages (which may not need as much protection) to be accessed more quickly and prevents unauthorized modification. The CGI applications 225 and any databases used by the CGI application are kept at an SL of SYSTEM INSIDE.

As depicted in the schematic diagram FIG. 2, the flowchart FIG. 3, and the trusted gateway agent program listings (tga.c and tgad.c attached as Appendix A and B, respectively), data moves back and forth between a chrooted outside compartment 205 and the separate chrooted inside compartment 220 by invoking the trusted gateway agent 230, a special, security-aware software program that spans the control boundary separating inside and outside compartments. The Web server 210 is restricted from accessing non-essential files by changing the root directory during initialization (Step 305). In particular, the Web server 220 root directory is chrooted such that the files it needs are the only available ones (Step 310). The trusted gateway agent may only be invoked by the Web server 210, and the CGI applications 225 can, in turn, only be invoked by the trusted gateway agent 230. The trusted gateway agent 230 is transparent to both the Web server 210 and the CGI applications 225, both of which can function as if the trusted gateway agent 230 was not present. Notwithstanding, the trusted gateway agent must be able to access both the Web server 210 and the CGI applications 225. The gateway server 240 is initialized directly at system boot time and enabled whenever the Web server 210 is enabled (Step 315). In particular, the gateway server 240 reads its configuration file (a copy of configuration file "tcb/files/tgad.conf" is attached as Appendix B) which specifies the attributes of the trusted gateway agent server 240 process (user ID, group ID, sensitivity label) as well as the set of CGI applications 225 that may be run through the trusted gateway agent 230 and how to run them.

The trusted gateway agent 230 further comprises a gateway client program 235 running in the outside compartment having a plurality of outside CGI links 237 to the CGI applications, and a gateway server program 240 located in the inside compartment 230, wherein the outside CGI links 237 are visible to the Web server 210. All of the outside CGI link 237 directories point to the gateway client 235 and the link name identifies the corresponding CGI application 225 to execute.

Upon receipt of an HTTP request that corresponds to a CGI application, the Web server 210 attempts to execute one of the plurality of outside CGI links 237 identified by the URL of the HTTP request (Step 320). The gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the Web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port, whereas children of the Web server process do not inherit this privilege (which is required to bind a reserved network port number when communicating) (Step 322). Certain ports are restricted to use by privileged processes only; such ports are only available to programs (such as the Web server 210, the gateway client program 232 and the gateway server program 240) that have the netprivaddr privilege.

If the request is valid, the gateway client program 237 opens a connection to the gateway server program 240 (Step 325). The gateway server program 240 verifies that the connection originates from a reserved or a privileged port. The gateway client program's argument vector and environment vector are then transferred to the gateway server program 240 (Step 330). Each vector is transmitted as the number of elements in the array (in network byte order), followed by each element in the form length (again, network byte order), data. Once the argument and environment vectors are transmitted, the gateway server program 240 consults the trusted gateway agent "configuration file" (see Appendix C, "Sample Configuration File") to determine if the gateway client program name is a valid request (Step 335), and if so, what to execute and with what attributes (root directory, user and group identity, sensitivity label). Optionally, the gateway server program may compute the checksum of the CGI application executable file and compare it against a cryptographically strong checksum stored in the configuration file; if the checksums do not match, the request is rejected.

If the request is rejected, the gateway server 240 audits the reason for the failure (Step 340) and transmits an error message to the gateway client 237, which then terminates. If the request is accepted, the gateway server 240 strips the environment of all variables that are not specified by the CGI protocol (see Appendix D, entitled "CGI Environment Variables"), sends a "ready" acknowledgment to the gateway client program 237, redirects its standard input, output and error to the gateway client program connection, and uses the exec(2) system call to replace itself with the CGI application 225 that is now chrooted to an inside directory (Step 345).

Upon receipt of the "ready" acknowledgment, the gateway client program 237 copies its standard input through the network connection to the CGI application, and copies the output from that connection to its standard output (acting as a "pass-through" filter). Thus, the Web server 210 is writing (through the gateway client and gateway server) to the standard input of the CGI application 225, and reading that application's standard output (Step 350). Since that CGI application 225 has been invoked with the same argument and environment vectors used to invoke the gateway client 237 (which the Web server 210 "thinks" is the real CGI application), the trusted gateway agent 237 is transparent to both the Web server 210 and the CGI application 225. Additional HTTP requests are handled similarly as they are received by the Web server 210 (Step 360).

While the invention has been described and illustrated with reference to specific embodiments employing a UNIX CMW (Compartment Mode Workstation) based operating system running on an HP 9000 Series 700 workstation, those 
skilled in the art will recognize that modifications and variations may be made such that the invention is equally applicable to secure Web platforms based on the Microsoft Windows NT operating system and most compatible hardware. While not disclosed in detail, the Secure Web Platform could also include another Netscape or similarly configured Web server within the inside compartment for connecting the SWP to an internal Intranet.
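The vector transfer between gateway client and gateway server (Step 330: element count, then length-prefixed elements, all in network byte order) and the server's stripping of the environment down to CGI-protocol variables (Step 345) can be exercised offline. The C below is an added example written for this page, not the tga.c or tgad.c code of Appendix A and B; its function names, the 4096-element sanity cap, and the CGI/1.1 variable list (standing in for Appendix D, which the page does not reproduce) are assumptions, and the sample environment is constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Release a vector produced by decode_vector(). */
void free_vector(char **vec) {
    if (!vec) return;
    for (size_t i = 0; vec[i]; i++) free(vec[i]);
    free(vec);
}

/* Encode a NULL-terminated vector as the element count, then each element as
 * its length followed by its bytes; count and lengths are 32-bit, network byte
 * order. Returns the number of bytes written, or -1 if buf is too small. */
long encode_vector(char *const *vec, unsigned char *buf, size_t cap) {
    size_t n = 0, off = 4;
    uint32_t be;
    while (vec[n]) n++;
    if (cap < 4) return -1;
    be = htonl((uint32_t)n);
    memcpy(buf, &be, 4);
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vec[i]);
        if (cap - off < 4 + len) return -1;
        be = htonl((uint32_t)len);
        memcpy(buf + off, &be, 4);
        memcpy(buf + off + 4, vec[i], len);
        off += 4 + len;
    }
    return (long)off;
}

/* Decode the wire format into a NULL-terminated vector. Every count and length
 * is checked against the bytes actually present before it is trusted, so a
 * truncated or lying message yields NULL rather than an over-read. */
char **decode_vector(const unsigned char *buf, size_t len) {
    uint32_t be, n;
    size_t off = 4;
    if (len < 4) return NULL;
    memcpy(&be, buf, 4);
    n = ntohl(be);
    if (n > 4096) return NULL;           /* element cap: an assumption, not from the page */
    char **vec = calloc((size_t)n + 1, sizeof *vec);
    if (!vec) return NULL;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t elen;
        if (len - off < 4) goto bad;
        memcpy(&be, buf + off, 4);
        off += 4;
        elen = ntohl(be);
        if (elen > len - off) goto bad;  /* claimed length exceeds what arrived */
        if (!(vec[i] = malloc((size_t)elen + 1))) goto bad;
        memcpy(vec[i], buf + off, elen);
        vec[i][elen] = '\0';
        off += elen;
    }
    return vec;
bad:
    free_vector(vec);
    return NULL;
}

/* Variables defined by the CGI/1.1 specification (assumed here; the page's
 * Appendix D is not reproduced), plus any HTTP_* request-header variable. */
static const char *const CGI_VARS[] = {
    "SERVER_SOFTWARE", "SERVER_NAME", "GATEWAY_INTERFACE", "SERVER_PROTOCOL",
    "SERVER_PORT", "REQUEST_METHOD", "PATH_INFO", "PATH_TRANSLATED",
    "SCRIPT_NAME", "QUERY_STRING", "REMOTE_HOST", "REMOTE_ADDR", "AUTH_TYPE",
    "REMOTE_USER", "REMOTE_IDENT", "CONTENT_TYPE", "CONTENT_LENGTH", NULL
};
static int is_cgi_var(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t klen = eq ? (size_t)(eq - entry) : strlen(entry);
    if (klen > 5 && strncmp(entry, "HTTP_", 5) == 0) return 1;
    for (size_t i = 0; CGI_VARS[i]; i++)
        if (strlen(CGI_VARS[i]) == klen && strncmp(entry, CGI_VARS[i], klen) == 0)
            return 1;
    return 0;
}

/* Compact a decoded environment in place, freeing every entry the CGI protocol
 * does not define (the server's Step 345). Returns the number of entries kept. */
size_t strip_environment(char **env) {
    size_t w = 0;
    for (size_t r = 0; env[r]; r++) {
        if (is_cgi_var(env[r])) env[w++] = env[r];
        else free(env[r]);
    }
    env[w] = NULL;
    return w;
}

int main(void) {
    /* constructed sample environment; LD_LIBRARY_PATH is not a CGI variable */
    char *env[] = { "REQUEST_METHOD=GET", "LD_LIBRARY_PATH=/tmp",
                    "HTTP_HOST=bank.example", "QUERY_STRING=acct=1", NULL };
    unsigned char wire[256];
    long n = encode_vector(env, wire, sizeof wire);
    char **received = n < 0 ? NULL : decode_vector(wire, (size_t)n);
    if (!received) return 1;
    printf("%ld bytes on the wire, %zu of 4 variables kept\n", n, strip_environment(received));
    free_vector(received);
    return 0;
}
```

Two details matter for a gateway that sits on a trust boundary: the decoder never believes a length field until it has compared it with the bytes that actually arrived, and the environment handed to the CGI program is rebuilt from an allow-list rather than by deleting known-bad names, which is what makes the stripping step in the description a real control rather than a cleanup.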
APPENDIX A

/tmp/tga.c

/*
 * @(#)80 1.11 tga.c, swp_gw_client, swp_dev 1/19/96 05:21:24, SecureWare, Inc.
 *
 * Secure Web Platform Trusted Gateway Agent client application.
 *
 * This is run as a CGI program by the HTTP daemon process. It connects
 * to the TGA server, transmits its argument vector and environment,
 * then connects its standard input and output to the server
 * which runs the actual CGI program.
 */

#if SEC_BASE
#include <sys/secdefines.h>
#include <prot.h>
#endif /* SEC_BASE */

#include "gateway.h"
#include <stdio.h>
#include <stdlib.h>
#include <sys/signal.h>

/*
 * SIGPIPE handler: the server side of the connection went away.
 */
void
PipeCleaner()
{
    Warn("Lost connection with server.\n");
    abort();
    exit(1);
}

int
main(ArgC, ArgV, EnvP)
int ArgC;
char *ArgV[];
char *EnvP[];
{
    int IPC;                /* file descriptor for connection to server */
    Packet Ack;             /* acknowledgement from server */
    char *Name;             /* pointer to SCRIPT_NAME */
    int Result;             /* our return code */
    priv_t *Missing;        /* used to check privileges */
    char Message[BUFSIZ];   /* place to build an error message */
    char *Msg;              /* used to point to messages */

    /*
     * we're the client
     */
    tga_client = 1;
5,903,732



    /* set up audit data */
    AudSetAttributes(ArgV[0]);

    /*
     * Security initialization
     */
#if SEC_BASE
    set_auth_parameters(ArgC, ArgV);
    initprivs();
#if SEC_MAC
    mand_init();
#endif /* SEC_MAC */

    /*
     * drop all privileges
     */
    seteffprivs((priv_t *) 0, (priv_t *) 0);

    /*
     * and make sure we can raise the ones we'll need later
     */
    if (Missing = checkprivs(privvec(SEC_NETPRIVADDR,
#if SEC_MAC
                                     SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE, SEC_CVTLABEL,
                                     SEC_CHSUBJSL,
#endif /* SEC_MAC */
                                     -1)))
    {
        sprintf(Message, "%s: insufficient privilege: missing %s\n",
                ArgV[0], privstostr(Missing, ","));
        AuditFailure(Message);
        Die(Message);
    }
#endif /* SEC_BASE */

    /*
     * We want to pass a full pathname to the server, if possible,
     * for maximum control over the identity of the CGI program
     * that gets executed by the server. So, if ArgV[0] is not
     * an absolute pathname, replace it with the SCRIPT_NAME environment
     * variable defined by the CGI specification (which may not be
     * absolute either, but it will not be any worse than the original
     * ArgV[0]).
     */
    if ((ArgV[0][0] != '/') && (Name = getenv("SCRIPT_NAME")))
        ArgV[0] = Name;

#if SEC_MAC
    /*
     * We're executed by the outside HTTPD process, which means we're
     * running at the OUTSIDE sensitivity level. The server
     * runs at the INSIDE sensitivity level, so in order to communicate with
     * it, we need allowmac.
     */
    if (forceprivs(privvec(SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE, -1), NULL))
    {
        /*
         * The Die() function displays the error message and exits.
         */
        Msg = "Insufficient privilege: client could not raise allowmac\n";
        AuditFailure(Msg);
        Die(Msg);
    }
#endif /* SEC_MAC */

    /*
     * now connect to the server
     */
    if ((IPC = ConnectToServer()) < 0)
    {
        /* ConnectToServer() is responsible for auditing the failure details */
        Die("Server connection failed");
    }

    /*
     * From this point on, the server is responsible for most auditing
     */

    /*
     * shut down cleanly if we lose the connection
     */
    signal(SIGPIPE, PipeCleaner);

    /*
     * transmit our environment and argument vectors
     */
    if (!SendVector(IPC, EnvP))
    {
        (void) shutdown(IPC, 2);
        Msg = "Failed to transmit environment vector";
        AuditFailure(ErrMessage(Msg));
        Die(Msg);
    }

    /*
     * wait for acknowledgement by server
     */
    if (WaitForAck(IPC, &Ack) != GATEWAY_ACK)
    {
        /*
         * if negative acknowledgement, read and display error (server
         * will audit the failure)
         */
        if (Ack.Data == GATEWAY_NAK)
        {
            Warn(ReadString(IPC));
            (void) SendAck(IPC);
            shutdown(IPC, 2);
            exit(EXIT_FAILURE);
        }
    }

    if (!SendVector(IPC, ArgV))
    {
        (void) shutdown(IPC, 2);
        Msg = "Failed to transmit argument vector";
        AuditFailure(ErrMessage(Msg));
        Die(Msg);
    }

    /*
     * wait for the server to acknowledge receipt of vectors
     */
    if (WaitForAck(IPC, &Ack) != GATEWAY_ACK)
    {
        /*
         * if negative acknowledgement, read and display error (server
         * will audit the failure)
         */
        if (Ack.Data == GATEWAY_NAK)
        {
            Warn(ReadString(IPC));
            (void) SendAck(IPC);
            shutdown(IPC, 2);
            exit(EXIT_FAILURE);
        }
    }

    /*
     * tell the server to go ahead and run the program ("ACK the ACK")
     */
    if (!SendAck(IPC))
    {
        (void) shutdown(IPC, 2);
        Msg = "Failed to transmit go-ahead to server";
        AuditFailure(Msg);
        Die(Msg);
    }

    /*
     * Now we copy data back and forth between standard I/O and the server
     * First, be optimistic about the results:
     */
    Result = EXIT_SUCCESS;

    /*
     * Second, get rid of SIGPIPE handler; let Shovel() handle it if the
     * connection disappears
     */
    signal(SIGPIPE, SIG_IGN);

    /*
     * Now do the actual "shoveling" of data between stdin/stdout and the
     * socket
     */
    if (Shovel(IPC) != SUCCESS)
    {
        Msg = "Lost connection to server";
        AuditFailure(ErrMessage(Msg));
        Warn(Msg);
        Result = EXIT_FAILURE;
    }

    /*
     * Explicitly shut down all connections, just to be safe
     */
    shutdown(IPC, 2);
    shutdown(0, 2);
    shutdown(1, 2);
    shutdown(2, 2);

    /*
     * exit
     */
    return Result;
}
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/tfflp/tgad.c 1 

/* »(#)83 1.9 tgad.c, swp_gw_server, swp_dev 1/19/96 09:03:24, SecureWare, Inc. */ 
/* Copyright (C) 1995. All rights reserved. */ 

/* 

* Secure Web Platform Trusted Gateway Agent server 

* Listens for connections on the TGA port. Accept only 

* those coming from a reserved port on the loopback interface. 

* Spawn a child process to handle each connection. 
* 

* Child takes a request for a CGI program; if valid, it runs that CGI program 

* xn on environment determined by the TGA configuration file, with 
♦^standard input and output connected to the client. 

tinclude " server. h" 
/* 

 * File descriptor for accepting connections; global so signal handlers
 * can shut it down if needed
 */
static int Master;

/*
 * main routine - listen for connections and handle them as they
 * arrive
 */
int
main(int ArgC, char *ArgV[])
{
    int Client;                 /* file descriptor for connection to single client */
    unsigned short Port;        /* port number to which to bind */
#if SEC_BASE
    priv_t *Missing;            /* used to check privileges */
#endif /* SEC_BASE */

#if SEC_BASE
    /*
     * Security initialization
     */
    set_auth_parameters(ArgC, ArgV);
    initprivs();
#if SEC_MAC
    mand_init();
#endif /* SEC_MAC */

    /*
     * drop all privileges
     */
    seteffprivs((privvec_t *)0, (privvec_t *)0);

    /*
     * and make sure we can raise the ones we'll need later
     */
    if (!hassavedpriv(SEC_TRUSTED_PROCESS))
    {
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED,
              "trusted process chain broken");
        Die("Trusted process chain broken\n");
    }

    if ((Missing = checkprivs(privvec(SEC_TRUSTED_PROCESS, SEC_FILESYSOPS,
            SEC_NETPRIVADDR, SEC_ALLOWDACWRITE, SEC_CHSUBJLUID,
            SEC_CHSUBJIDENT,
#if SEC_MAC
            SEC_CVTLABEL, SEC_CHSUBJSL, SEC_ALLOWMACREAD, SEC_ALLOWMACWRITE,
#if SEC_ILB
            SEC_NOFLOATSUBJIL, SEC_NOFLOATOBJIL,
#endif /* SEC_ILB */
#endif /* SEC_MAC */
            -1))) != NULL)
    {
        sprintf(Message, "insufficient privilege: missing %s\n",
                privstostr(Missing, ", "));
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED, Message);
        Die(Message);
    }
#endif /* SEC_BASE */

    /* set up port */
    Port = GATEWAY_PORT;
    if (ArgC > 1)
        Port = atoi(ArgV[1]);

    if ((Master = Listen(Port)) < 0)
    {
        strcpy(Message, "Listen connection failed");
        Audit(AUD_ID_STARTUP, AUDIT_RES_FAILED, Message);
        Die(Message);
    }

    /*
     * ``daemonize'' ourselves - detach from controlling terminal
     */
    Daemonize();

    /*
     * Log startup
     */
    sprintf(Message, "Startup: listening on port %d\n", Port);
    Log(Message);
    Audit(AUD_ID_STARTUP, AUDIT_RES_SUCCEEDED, Message);

    /*
     * catch SIGCLD
     */
    signal(SIGCLD, HandleChildExit);

    /*
     * loop forever (or until we get a SIGTERM or unhandled signal)
     */
    for (;;)
    {
        if ((Client = Accept(Master)) >= 0)
        {
            Handle(Client, Master);
        }
    }
}

/*
 * Function to handle a new connection.  Fork a new process, log
 * everything, and return.  Child process then runs the Child
 * function to do the actual work of running the CGI program.
 */
int
Handle(FD, Master)
int FD;
int Master;
{
    int ChildPID;                        /* fork() return */
    time_t ConnectTime;                  /* time connection came in */
    static unsigned int
        ConnectionCount = 0;             /* keep a running count of connections */

    /*
     * if we got to this function, we have a connection - bump the
     * count and log it
     */
    ConnectTime = time(0);
    ConnectionCount++;
    sprintf(Message, "got connection %d\n", ConnectionCount);
    Log(Message);

    AudInit();
    AudSet(AUD_CONNECT_DATE, &ConnectTime);

    /*
     * fork a child process to handle this connection
     */
    if ((ChildPID = fork()) < 0)
    {
        sprintf(Message, "connection %d: fork failed", ConnectionCount);
        AuditFailure(Message);
        return 0;
    }

    /*
     * Parent closes the connection to the client and returns
     */
    if (ChildPID)
    {
        close(FD);
        return 0;
    }

    /* --- Child from here on --- */
    /*
     * Log startup
     */
    sprintf(Message, "spawned to handle connection %d\n", ConnectionCount);
    Log(Message);

    /*
     * If we're debugging, stop so someone can attach a debugger to us
     */
#if DEBUG
    Log("PAUSE - attach debugger and send SIGUSR1\n");
    signal(SIGUSR1, no_op);
    pause();
#endif /* DEBUG */

    /*
     * close the master accept() socket
     */
    close(Master);

    /*
     * and run the child process main function
     */
    Child(FD);
    return 0;
}

/*
 * signal handler for SIGCLD.  Log exit status of finished child
 */
void
HandleChildExit()
{
    int Pid;                  /* Pid of dead child */
    int Status;               /* Status of dead child */
    char Message[BUFSIZ];     /* private buffer used in case we get a signal
                               * while using the common buffer
                               */

    /* reap the child */
    Pid = wait(&Status);

    /* log its exit status */
    sprintf(Message, "Child %d exited with status %d\n", Pid,
            WEXITSTATUS(Status));
    Log(Message);

    /* reinstall the handler for next time */
    signal(SIGCLD, HandleChildExit);
}

#if DEBUG
/*
 * a no-op handler solely so we can return from a pause()
 */
void
no_op()
{
}
#endif /* DEBUG */
/*
 * signal handler for SIGTERM - logs event and shuts down cleanly
 */
void
Shutdown(int SigNo)
{
    char Message[BUFSIZ];     /* private buffer used in case we get a signal
                               * while using the common buffer
                               */

    /*
     * if we recognize the signal, log its name; otherwise log the number
     */
    if (SigNo == SIGTERM)
        strcpy(Message, "Caught SIGTERM - shutting down\n");
    else
        sprintf(Message, "Caught signal %d - shutting down\n", SigNo);

    Audit(AUD_ID_SHUTDOWN, AUDIT_RES_NULL, Message);
    Log(Message);

    /*
     * shutdown the main server socket
     */
    shutdown(Master, 2);

    /*
     * and exit
     */
    exit(123 + SigNo);
}


/*
 * NAME
 *      OpenLog
 *
 * DESCRIPTION
 *      Open up the log file (if logging is configured) and redirect
 *      standard output and standard error into it
 *
 * PARAMETERS
 *      None
 *
 * RETURN VALUE
 *      None
 */
void
OpenLog(void)
{
    char *FileName;            /* log file name */
    int LogFile;               /* file descriptor */
    privvec_t SavePrivs;       /* used for privilege bracketing */

#if SEC_BASE
    /*
     * we may need privilege to open the file
     */
    if (forceprivs(privvec(SEC_ALLOWDACWRITE,
#if SEC_MAC
            SEC_ALLOWMACWRITE,
#if SEC_ILB
            SEC_NOFLOATOBJIL,
#endif /* SEC_ILB */
#endif /* SEC_MAC */
            -1), SavePrivs) != 0)
    {
        Quit(Master, "could not open log file: insufficient privilege",
             QUIT_AUDIT);
    }
#endif /* SEC_BASE */

    /*
     * open the log file for append
     */

    /* first make sure logging is enabled; disable it by default */
    FileName = "/dev/null";
    if (Global && Global->u.server.gw_log)
    {
        if (Global->u.server.gw_log_file)
            FileName = Global->u.server.gw_log_file;
        else
            FileName = GATEWAY_LOG;
    }

    LogFile = open(FileName, O_WRONLY | O_APPEND | O_CREAT, 0600);

    /*
     * now drop the privileges
     */
    (void) seteffprivs(SavePrivs, NULL);

    /*
     * abort if we couldn't open the file
     */
    if (LogFile < 0)
        Quit(Master, "Could not open log file for writing", QUIT_AUDIT);

    /*
     * otherwise redirect output and error into it
     */
    if (dup2(LogFile, STDOUT_FILENO) != STDOUT_FILENO)
        Quit(Master, "Could not redirect standard output into log file",
             QUIT_AUDIT);
    if (dup2(LogFile, STDERR_FILENO) != STDERR_FILENO)
        Quit(Master, "Could not redirect standard error into log file",
             QUIT_AUDIT);
}

/*
 * standard initialization for a daemon process - detach from controlling
 * terminal, process group, etc.  We use OpenLog to redirect output
 * to a log file, which conveniently detaches us from the terminal
 * (once we close stdin, too).  Once we do all that, we
 * fork and the parent exits, leaving the child to run in the background.
 */
void
Daemonize(void)
{
    pid_t Pid;                 /* used to store return value from fork() */

    /*
     * close input
     */
    (void) close(STDIN_FILENO);

    /* read the configuration file (and redirect output to log file) */
    (void) ReadConf();

    /*
     * disassociate from parent process group
     */
    setpgrp();

    /*
     * now fork and let the parent exit
     */
    if ((Pid = fork()) < 0)
        Die("fork() failed");
    if (Pid)
        exit(EXIT_SUCCESS);

    /*
     * shut down cleanly on SIGTERM; ignore most other signals
     */
    signal(SIGTERM, Shutdown);
    signal(SIGUSR2, SIG_IGN);
    signal(SIGQUIT, SIG_IGN);
    signal(SIGINT, SIG_IGN);
    signal(SIGHUP, ReadConf);
#ifdef SIGTSTP
    signal(SIGTSTP, SIG_IGN);
    signal(SIGTTIN, SIG_IGN);
    signal(SIGTTOU, SIG_IGN);
#endif
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APPENDIX C 

CGI Environment Variables

Environment Variable    Description

AUTH_TYPE               authentication scheme used, if the request was authenticated
CONTENT_LENGTH          length of the attached entity
CONTENT_TYPE            Internet Media Type of the attached entity
GATEWAY_INTERFACE       CGI specification version
HTTP_*                  header data read from the client
HTTPS                   Netscape Commerce Server-specific variable indicating whether or not the
                        Secure Sockets Layer (SSL) encryption protocol is active
PATH_INFO               extra path information passed to the CGI script
PATH_TRANSLATED         path to the file that httpd would attempt to access
QUERY_STRING            a URL-encoded search string
REMOTE_ADDR             IP address of the host that made the request
REMOTE_HOST             domain name of the remote host that sent the request
REMOTE_IDENT            user identity information about the connection, if supplied by the client host
REMOTE_USER             user-ID sent by the client
REQUEST_METHOD          HTTP method with which the request was made
SCRIPT_NAME             virtual path of the script being executed
SERVER_NAME             hostname, DNS alias, or IP address for this server
SERVER_PORT             port number on which this request was received
SERVER_PROTOCOL         name and revision of the protocol with which the request was made
SERVER_SOFTWARE         name and version of the information server software
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APPENDIX D 

Sample Server Configuration File

# @(#)86 1.8 tgad.conf, swp_gw_server, swp dev 1/19/96 08:47:02
#
# Copyright (C) 1995, 1996, SecureWare, Inc.
# All rights reserved.
#
# Sample configuration file for Trusted Gateway Agent server
# (Send a SIGHUP to running tgad to cause it to reread this file)
#
# Global configuration information:
#       gw_uid          UID of server process
#       gw_sl           Sensitivity label of server process
#       gw_log          Whether or not logging is enabled
#       gw_log_file     Location of log file
#
# NOTE: The TGA server's logging mechanism is superfluous if you
# have auditing enabled, but if you wish to enable it, change
# 'gw_log@' to 'gw_log' in the line below.
#
config:gw_type=server:gw_uid#59:gw_sl=SYSTEM INSIDE:\
        :gw_log@:gw_log_file=/tcb/files/tgad.log:chkent:

# Program environment entries.
# An environment entry specifies the attributes for some set of CGI programs
# (which set is determined later):
#       gw_root         The directory to use as the root for running the
#                       programs (via the chroot(2) system call)
#       gw_dir          The directory (relative to gw_root) in which to look
#                       for the executable files
#       gw_uid          The user ID with which to run the CGI programs
#       gw_sl           The sensitivity label at which to run the CGI programs
#       gw_access       Accessibility of programs in this environment:
#                       'explicit' indicates that only programs with
#                       explicit entries in this file may be run;
#                       'any' indicates that programs matching wildcard
#                       entries may be run
#
# Sample environment entry.
# Note that in this example, gw_root is set to '/';
# that means that no chroot(2) is performed, and all the CGI programs in this
# environment have access to the entire filesystem on the host.  Also note that
# gw_uid and gw_sl are not set; they default to the attributes of
# the TGA server, as set in the config entry above.
#
inside:gw_type=environment:gw_root=/:\
        :gw_directory=/swp/inside/app/cgi-bin:\
        :gw_access=explicit:chkent:

# Program entries.
# A program entry specifies the name of the environment to
# use for a given program, and may also specify these attributes:
#       gw_uid, gw_sl   As above; override the environment setting
#       gw_path         Pathname of file to execute; allows a TGA
#                       client link to have a different name from
#                       the inside CGI program to which it maps
#       gw_allowed      Indicates whether or not the program is
#                       allowed to run; allows specific exclusion of
#                       programs that would otherwise be cleared through
#                       a wildcard entry.
#
# The key field of a program entry must be the full pathname of the program
# as passed via Argv[0] when the TGA ... server.  The wildcard form '*/basename'
# allows a given basename to match in any directory, and 'dirname/*' allows an
# entry to refer to all programs in a directory at once.  An entry named '*' is
# a default for programs not matching any other entries.
#
# NOTE: For purposes of access control, '*/basename' and 'dirname/*' are
# considered 'explicit' entries, while '*' is not.
#
# Sample (commented out) entry for program 'myprog'.
# This entry indicates that when the TGA client is invoked as program 'myprog'
# and contacts the TGA server, the TGA server will run the program 'altprog' in
# the environment specified by the 'inside' entry:
#
#/myprog:gw_type=program:gw_env=inside:gw_allowed:gw_path=altprog:chkent:
#
# Sample default entry.
# Uncomment this entry to allow any program to run through the gateway (provided
# the proper TGA client exists and the program is in the directory named in the
# 'inside' environment above).
#
# Note: It is more secure to have no default entry, with an explicit entry for
# each program.
#
#*:gw_type=program:gw_env=inside:gw_allowed:chkent:
#
# Sample exclusion entry.
# If you use a wildcard entry, you can selectively disallow execution of
# some programs via entries like the one below.  But, as noted above, security
# through inclusion is better than security through exclusion.
#
#*/badprog:gw_type=program:gw_allowed@:chkent:
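The program-entry lookup the sample file describes, as an added example in C (not from the patent or the tgad sources): an exact full-path key, then '*/basename', then 'dirname/*', then the bare '*' default, with '*' ignored when gw_access is 'explicit' and a matching gw_allowed@ entry refusing the request. The precedence between the two wildcard forms, the struct and function names, and the entry table are assumptions constructed for the example.

```c
// Added example; mirrors the matching rules in the sample tgad.conf comments.
// Struct and function names are assumptions, not the tgad sources' own.
#include <stdio.h>
#include <string.h>

struct ProgEntry {
    const char *Key;      // full path, "*" "/basename", "dirname/" "*", or "*"
    int Allowed;          // gw_allowed (1) or gw_allowed@ (0)
    const char *Path;     // gw_path override, or NULL to run the key's basename
};

// Constructed sample table; order does not matter, the lookup ranks matches.
static const struct ProgEntry Entries[] = {
    { "/myprog",   1, "altprog" },   // explicit entry mapped to another program
    { "/cgi/*",    1, NULL },        // every program directly under /cgi
    { "*/badprog", 0, NULL },        // exclusion of one basename anywhere
    { "*",         1, NULL },        // default entry
};
#define NENTRIES (sizeof Entries / sizeof Entries[0])

// Rank of a key against a program path: 3 exact, 2 basename wildcard,
// 1 directory wildcard, 0 the "*" default, -1 no match.
static int MatchRank(const char *Key, const char *Prog)
{
    const char *Base = strrchr(Prog, '/');
    size_t KeyLen = strlen(Key);
    Base = Base ? Base + 1 : Prog;

    if (strcmp(Key, "*") == 0)
        return 0;
    if (strncmp(Key, "*/", 2) == 0)                  // "*" "/basename"
        return strcmp(Key + 2, Base) == 0 ? 2 : -1;
    if (KeyLen >= 2 && strcmp(Key + KeyLen - 2, "/*") == 0) {
        // "dirname/" "*": program must sit directly in dirname, not deeper
        if (strncmp(Key, Prog, KeyLen - 1) != 0 || Prog[KeyLen - 1] == '\0')
            return -1;
        return strchr(Prog + KeyLen - 1, '/') == NULL ? 1 : -1;
    }
    return strcmp(Key, Prog) == 0 ? 3 : -1;
}

// Resolve the TGA client's Argv[0] (Prog) to the program to execute, or NULL
// to refuse.  AccessAny is the environment's gw_access: 0 explicit, 1 any.
// The most specific matching entry decides; if it carries gw_allowed@ the
// request is refused even though a less specific entry would allow it.
const char *ResolveProgram(const struct ProgEntry *Tab, size_t N,
                           const char *Prog, int AccessAny)
{
    const struct ProgEntry *Best = NULL;
    int BestRank = -1;
    for (size_t i = 0; i < N; i++) {
        int Rank = MatchRank(Tab[i].Key, Prog);
        if (Rank == 0 && !AccessAny)     // "*" is not an explicit entry
            continue;
        if (Rank > BestRank) {
            BestRank = Rank;
            Best = &Tab[i];
        }
    }
    if (Best == NULL || !Best->Allowed)
        return NULL;
    if (Best->Path)
        return Best->Path;
    const char *Base = strrchr(Prog, '/');
    return Base ? Base + 1 : Prog;
}
```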



Laat Updated: 2/2/96 
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What is claimed is: 

1. A computer based secure Web platform (SWP) implementing a mandatory access control policy to enable a plurality of remote users operating Web browsers communicating HyperText Transfer Protocol (HTTP) data streams over the Internet access to CGI applications without compromising the security of the SWP, comprising:

a computer having a compartmentalized process and file structure separated in accordance with a mandatory access control policy into an outside compartment containing a Web server implementing HTTP to interface the SWP with the Internet and an inside compartment containing a plurality of CGI applications; and

a trusted gateway agent program for communicating between the outside compartment and the inside compartment; the trusted gateway program further comprising a gateway client program located in the outside compartment having a plurality of outside CGI links to CGI applications that are visible to the outside Web server and a gateway server program located in the inside compartment, wherein the outside CGI links are visible to the Web server and upon execution of an outside CGI link, a network link is opened to the gateway server program which invokes the corresponding CGI application, wherein the gateway server program creates a new process and invokes the corresponding CGI application and connects the HTTP data stream between the CGI application and the gateway client, and wherein the CGI application employs the HTTP data stream to communicate through the gateway server program and gateway client program to the Web browser.

2. The computer based secure Web platform as claimed in claim 1, the Web server further comprising the method step of implementing the chroot command to change the root directory of the Web server to a directory tree containing only the minimum set of files required for the Web server to operate.

3. The computer based secure Web platform (SWP) as claimed in claim 2, the mandatory access control policy further comprising a plurality of sensitivity labels, wherein a sensitivity label of System Outside is assigned to any SWP files to which the Web server requires write access, a sensitivity label of System is assigned to any SWP files to which the Web server program requires read-only access, and a sensitivity label of System Inside is assigned for those SWP files to which the Web server does not have any access.

4. The computer based secure Web platform (SWP) as claimed in claim 1, the compartmentalized process and file structure further comprising the step of:

chrooting the CGI applications to run in an inside directory completely separate from the Web server.

5. The computer based secure Web platform (SWP) as claimed in claim 4, the mandatory access control policy further comprising a plurality of sensitivity labels, wherein the CGI applications will run with an SL of System Inside for files requiring write access and an SL of System for those files requiring read-only access.

6. The computer based secure Web platform (SWP) as claimed in claim 4, further comprising a CGI link identifier for each CGI application, and wherein, all of the outside CGI link directories point to the gateway client program and the CGI link identifier identifies the corresponding CGI application to execute.

7. The computer based secure Web platform (SWP) as claimed in claim 1, wherein the Web server executes an outside CGI link identified by the URL of the HTTP request forwarded from the Web browser to establish communication between the gateway client program and the gateway server program, wherein, the gateway server program verifies the validity of the CGI application request, and if verified, the gateway server program invokes the actual CGI application and connects the HTTP data stream such that the inside CGI application may execute.

8. The computer based secure Web platform as claimed in claim 7, the gateway server program being initialized directly at system boot time and enabled whenever the Web server is enabled, wherein the gateway server program listens for Internet protocol connection requests on the trusted gateway agent port specified by /etc/services file on the secure Web platform, and only accepts connections emanating from the same computer host, and only if the communication port of the connection request is in the privileged range.
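The acceptance rule of claim 8 applied to the peer address of an accepted connection, as an added example in C (not from the patent or the tgad sources): only a connection from the same host (a loopback address) whose source port lies in the privileged range is accepted, since on the SWP only a holder of netprivaddr can bind such a port. Function names are assumptions; the addresses tested are constructed.

```c
// Added example; not part of the tgad sources.  Function names are assumptions.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>

// Accept the peer only if it is a loopback address (127.0.0.0/8, i.e. the
// same host) and its source port is below IPPORT_RESERVED (1024).
// Returns 1 to accept, 0 to refuse.  Pure function, so it can be checked on
// constructed addresses without a live socket.
int PeerIsLocalPrivileged(const struct sockaddr_in *Peer)
{
    if (Peer->sin_family != AF_INET)
        return 0;
    if ((ntohl(Peer->sin_addr.s_addr) & 0xff000000u) != 0x7f000000u)
        return 0;                                  // not from this host
    return ntohs(Peer->sin_port) < IPPORT_RESERVED;
}

// Apply the rule to a just-accepted descriptor via getpeername(); failing to
// obtain the peer address (or getting a non-IPv4 one) refuses the connection.
int AcceptedFromLocalPrivileged(int FD)
{
    struct sockaddr_in Peer;
    socklen_t Len = sizeof Peer;
    memset(&Peer, 0, sizeof Peer);
    if (getpeername(FD, (struct sockaddr *)&Peer, &Len) < 0
        || Len < sizeof Peer)
        return 0;
    return PeerIsLocalPrivileged(&Peer);
}

// Build a constructed peer from dotted-quad text and a host-order port and
// run the rule on it; returns the verdict, or -1 if the text is not an address.
int CheckPeer(const char *Addr, unsigned short Port)
{
    struct sockaddr_in P;
    memset(&P, 0, sizeof P);
    P.sin_family = AF_INET;
    P.sin_port = htons(Port);
    if (inet_pton(AF_INET, Addr, &P.sin_addr) != 1)
        return -1;
    return PeerIsLocalPrivileged(&P);
}
```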

9. The computer based secure Web platform as claimed in claim 8, the gateway server program further comprising a configuration file (tcb/files/tgad.conf) read upon startup that specifies the attributes of the gateway server program (user ID, group ID, sensitivity label) as well as the set of CGI applications that may be run through the trusted gateway agent.

10. The computer based secure Web platform as claimed in claim 9, further comprising a child process that is created by the gateway server program (via the fork(2) command) for executing the CGI application corresponding to each accepted connection.

11. The computer based secure Web platform as claimed in claim 10, wherein, upon initialization, the gateway server program reads the gateway server configuration file (/tcb/files/tgad.conf) as well as the set of CGI applications that may be invoked by the gateway server program.

12. The computer based secure Web platform as claimed in claim 9, wherein, the Web server invokes the netprivaddr privilege in order to bind to the reserved communication port (80 or 443) for HTTP requests, and wherein the gateway server program also requires netprivaddr privilege to bind to a reserved port, and wherein the gateway client program must have the netprivaddr privilege to initiate a connection on a reserved port which is required by the gateway server program.

13. The computer based secure Web platform as claimed in claim 12, wherein the CGI applications inherit, through the gateway client and the gateway server, the environment variables, command line, and standard I/O file descriptors passed to it by the Web server.

14. The computer based secure Web platform as claimed in claim 9, the gateway server checking the cryptographic checksum of the CGI application executable file against a cryptographically strong checksum stored in the configuration file, and if the checksums do not match, the request is rejected.

15. A method for implementing a mandatory access control policy on a computer based secure web platform (SWP) having a compartmentalized process and file structure separated in accordance with a mandatory access control policy enabling a plurality of remote users operating Web browsers communicating HyperText Transfer Protocol (HTTP) data streams over the Internet access to CGI applications without compromising the security of the SWP, comprising the method steps of:

separating the file structure of a computer into an outside compartment containing a Web server implementing HTTP to interface the SWP with the Internet and an inside compartment containing a plurality of CGI applications, and

communicating between the outside compartment and the inside compartment with a trusted gateway agent program having a gateway client program located in the outside compartment with a plurality of outside CGI links to CGI applications that are visible to the outside Web server and a gateway server program located in the inside compartment,

chrooting the root directory of the Web server to a directory tree containing only the minimum set of files required for the Web server to operate,

assigning a link identifier to the CGI applications such that all of the outside CGI link directories point to the gateway client program and the link identifier identifies the corresponding CGI application to execute,

invoking the trusted gateway agent to communicate between the outside compartment and the inside compartment,

verifying the validity of the HTTP request from the Web server to execute a CGI application,

establishing a connection between the gateway client program and the gateway server program,

transferring gateway client program environment and argument vectors to gateway server program,

verifying the validity of the CGI request,

chrooting the CGI applications to run in an inside directory completely separate from the Web server,

invoking the CGI application and connecting the HTTP data stream if the CGI request is valid.

16. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) as claimed in claim 15, further comprising the step of assigning sensitivity labels in accordance with the mandatory access control policy, wherein a sensitivity label of System Outside is assigned to any SWP files to which the Web server requires write access, a sensitivity label of System is assigned to any SWP files to which the Web server program requires read-only access, and a sensitivity label of System Inside is assigned for those SWP files to which the Web server does not have any access.

17. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 15, the step of assigning sensitivity labels further comprises the step of assigning the CGI applications an SL of System Inside for files requiring write access and an SL of System for those files requiring read-only access.

18. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 15, the step of invoking the trusted gateway agent, further comprising the execution of an outside CGI link such that a network link is opened to the gateway server program.

19. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 18, the step of verifying the validity of the HTTP request further comprises the step of checking for the netprivaddr privilege, as such privilege is required to bind to the local HTTP port.

20. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 19, the step of verifying the validity of the CGI request further comprises the step of comparing the trusted gateway agent configuration file to determine if the gateway client program name is a valid request, and if so, what program to execute and with what attributes.

21. The method for implementing a mandatory access control policy on a computer based secure web platform (SWP) in accordance with claim 20, the step of invoking the CGI application and connecting the HTTP data stream further comprising the step of stripping the environment of all variables that are not specified by the CGI protocol if the CGI request is valid, which then invokes the corresponding CGI application, and the gateway server program further comprising the step of creating a new process and invoking the corresponding CGI application and connects the HTTP data stream between the CGI application and the gateway client, and wherein the CGI application employs the HTTP data stream to communicate through the gateway server program and gateway client program to the Web browser.
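The environment-stripping step of claim 21, using the variable set of Appendix C, as an added example in C (not from the patent or the tgad sources): before the CGI program is executed, every entry whose name is not a CGI-specified variable (the HTTP_* header family is accepted by prefix) is dropped, so loader and shell settings forwarded from the outside compartment never reach the inside program. Function names and the sample environment are constructed for the example.

```c
// Added example; not part of the tgad sources.  Function names are assumptions.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// The CGI variables listed in Appendix C; HTTP_* is handled as a prefix.
static const char *const CgiVars[] = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "HTTPS", "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE", NULL
};

// Is "NAME=value" a variable the CGI protocol specifies?  The name is the
// text before the first '='; a bare "HTTP_" or an empty name is rejected.
int IsCgiVariable(const char *Entry)
{
    const char *Eq = strchr(Entry, '=');
    if (Eq == NULL || Eq == Entry)
        return 0;                           // malformed: no '=' or no name
    size_t NameLen = (size_t)(Eq - Entry);
    if (NameLen > 5 && strncmp(Entry, "HTTP_", 5) == 0)
        return 1;
    for (const char *const *V = CgiVars; *V; V++)
        if (strlen(*V) == NameLen && strncmp(*V, Entry, NameLen) == 0)
            return 1;
    return 0;
}

// Copy the permitted entries of Env into Out (capacity Max, NULL-terminated),
// the vector that would be handed to execve() for the CGI program.
// Returns the number kept, or -1 if Out is too small for them plus the NULL.
int StripToCgiEnv(char *const Env[], char *Out[], size_t Max)
{
    size_t Kept = 0;
    for (size_t i = 0; Env[i] != NULL; i++) {
        if (!IsCgiVariable(Env[i]))
            continue;
        if (Kept + 1 >= Max)
            return -1;
        Out[Kept++] = Env[i];
    }
    Out[Kept] = NULL;
    return (int)Kept;
}

// Constructed sample of what a gateway client might forward: CGI variables
// mixed with loader and shell settings and two malformed entries.
static char *const SampleEnv[] = {
    "REQUEST_METHOD=GET", "QUERY_STRING=name=x", "HTTP_USER_AGENT=Mozilla/3.0",
    "SERVER_PORT=443", "HTTPS=on", "LD_LIBRARY_PATH=/tmp/lib", "IFS= ",
    "PATH=/usr/bin", "HTTP_=", "=bogus", NULL
};

// Filter the sample with ample room, print what survives, return the count.
int DemoStripCount(void)
{
    char *Out[16];
    int N = StripToCgiEnv(SampleEnv, Out, 16);
    for (int i = 0; i < N; i++)
        printf("%s\n", Out[i]);
    return N;
}

// Filter the sample into a vector too small to hold the survivors.
int DemoTooSmall(void)
{
    char *Out[3];
    return StripToCgiEnv(SampleEnv, Out, 3);
}
```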
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